Conducting Productivity Audits

One of the activities I've invested considerable time in over the past 6 or so years is Learning Impact Audits. It's an opportunity for organisations to reflect on their learning culture, assess where they are now, where they want to go, and steps to get there, with the help of an external, unbiased view and evidence-based tools. Organisations want an audit for different reasons ranging from 'We want to improve our elearning' to 'We want to change the way we make decisions about learning and performance' to 'We want to align learning strategy with business strategy'. Pinning down the outcome at the start is vital because when it's clear and agreed it's easy to assess the impact of the audit and the applied recommendations later. The process of the audit is similar but the final impact can turn out to be very different depending on who is involved and what's at stake. The experience of involving stakeholders is a strong datapoint in itself. My experience is that when senior people are willing to participate in the audit there's more buy-in later to make relevant and observable change (this isn't rocket science). What is formally reviewed varies including strategies, designs, communications, session plans, resources, evaluations, impact surveys, live sessions, processes, technology etc. But the 'spaces between' provide valuable insights too - the conversations I have with people reveal unrecorded habits, practices and assumptions providing opportunities to dig deeper, challenge and praise. I use the DNA of a learning culture as the entry point for scoping an audit and then apply other evidence-based tools to dive deeper and finally make practical, relevant recommendations for change. I feel an emotional challenge when I recommend that people change what they've been doing because most people are already doing the best they know how, so that's balanced with the evidence about what is working. It's vital to asssess learning culture from where it currently is and not impose an impossible ivory tower solution. It's a joy when people come back to me after they've taken on my recommendations to tell me that: 😀 engagement is up 🏆 they feel more confident and credible 👍 management buy-in has improved 💲 they got more budget 📈 learning is more aligned with the business ⚙️ decision making is easier 🔎 they're better able to measure their own impact. But just a reminder - just like learning - there is no magic wand 🪄 ! After an audit L&D teams need to put in the work to make changes and that takes time, commitment, effort and motivation. 'If you want the rainbow - you gotta put up with the rain' Dolly Parton 🌈

Internal Audit Report Writing & The Minto Pyramid Principle One of the most powerful tools I’ve used over the past 8 years is the Minto Pyramid Principle—a structured thinking and writing approach developed by Barbara Minto at McKinsey. Here’s how it applies beautifully to internal audit reporting: - Top of the Pyramid – Start with the conclusion > Clear, action-oriented IA recommendations. * “Perform monthly reconciliation ...” - Middle Layer – Support with key arguments > These are IA observations and their root causes. * High aging of balances, umatched balances - Bottom Layer – Back it up with data to add credibility to the arguments > Evidence from sample testing, data analytics, or control walkthroughs. * 30% of balances > 365 days Why this works? - It forces auditors to think clearly, not just write clearly. - Avoids vague phrases like “strengthen the process” or “lack of controls”. - Drives action with precise expectations. Start every recommendation with a verb. E.g., “Implement a formal maker-checker for…” or “Restrict access to…” Structured thinking = Clear communication = Stronger impact. #InternalAudit #AuditReporting #StructuredThinking #MintoPyramid #RiskManagement #IAExcellence #DataDrivenAudit #AuditTips #LeadershipInAudit

Great audits don’t happen by chance—they happen through a disciplined SOP that turns risk into assurance. A well-defined Audit SOP (Standard Operating Procedure) is the foundation of a high-impact internal audit function. From risk assessment to governance oversight, every stage must be structured, evidence-driven, and aligned to business objectives. This redesigned framework highlights how modern audit teams move through a step-by-step lifecycle: 🔹 Audit planning with clear scope and objectives 🔹 Risk prioritization based on likelihood and impact 🔹 Audit program design with testing strategies 🔹 Fieldwork, walkthroughs, and evidence collection 🔹 Control design and operating effectiveness validation 🔹 Reporting with actionable recommendations 🔹 Management response and ownership tracking 🔹 Follow-up, remediation, and closure validation 🔹 Documentation, audit trail, and quality assurance 🔹 Audit committee reporting and governance oversight What makes this model stronger is its focus on three key outcomes: ✅ Accuracy – Reduce errors through standardized execution ✅ Efficiency – Improve productivity with repeatable workflows ✅ Assurance & Control – Strengthen governance and risk visibility The real value of audit SOPs is not only consistency, but the ability to transform audit activities into business insights, control confidence, and leadership assurance. In today’s environment, mature audit teams combine SOP discipline with: ✔ Risk-based testing ✔ Evidence traceability ✔ Continuous monitoring ✔ Clear accountability ✔ Faster remediation cycles ✔ Better board reporting A strong audit SOP doesn’t just improve audit quality—it improves trust across the enterprise. Kalesha & co Next Gen Assure #InternalAudit #AuditSOP #RiskManagement #GRC #Compliance #Governance #InternalControls #AuditCommittee #OperationalRisk #Assurance #Leadership #BusinessRisk

We want to show impact. But how do we prove it? South Africa’s Department of Planning, Monitoring and Evaluation Guideline on Impact Evaluation is a useful guide. It’s a model for governments serious about linking budgets to results, not just activities. Here’s why it works (and what others can learn from it): ✅ It starts with the question, not the method. Before jumping to Randomised Controlled Trials (RCTs) or comparison groups, the guideline asks... What decision will this evaluation inform? That’s how you avoid spending months collecting data that no policymaker actually uses. ✅ It distinguishes “performance monitoring” from “impact evaluation.” Monitoring tells you if activities happened; impact evaluation tells you what changed because of them. Blurring the two leads to endless reporting without learning. ✅ It embeds evaluation into government systems. Impact evaluation isn’t treated as an external audit, it’s built into how ministries plan, budget, and learn. That institutional setup is what makes evidence sustainable, not donor-dependent. ✅ It makes room for mixed methods. Instead of presenting quantitative counterfactuals as the gold standard, it shows how to combine numbers with narratives, giving a more complete picture of impact. The takeaway? You don’t need to reinvent the wheel to prove impact. You just need systems that ask the right questions, collect the right evidence, and connect it back to decisions. --- 🔥 Join my FREE mailing list to get content straight in your inbox Sign up here: https://lnkd.in/ec8mqV2M #ImpactEvaluation

Many audit projects are often incomplete, as they only assess the operating effectiveness of controls. This could position internal audit providing assurance that "the wrong thing was done in the right way.” To address this issue, more time should be allocated during the audit project planning and fieldwork stages to evaluate the design of the process being audited. Here are four methods to accomplish this. 1. Does the process incorporate all five components of internal control - control environment, risk assessment, control activities, information and communication, and monitoring? 2. Are there any external resources from which you can obtain data to identify any missing steps or to understand the latest methods of managing this process? Associations related to the topic or consulting firms that specialize in this area could be good sources of such information. 3. Were there any significant or newsworthy events that demonstrated the effectiveness or ineffectiveness of this process, from which one could derive how the process should function? 4. Could you interview individuals from three to four other companies of similar size or in the same industry to understand how they conduct and manage their processes? The insights and information gained from these four steps may provide for: - a more comprehensive internal audit project - enhance the performance of your Internal Audit team - more opportunities to enable positive change in your organization AuditBoard #InternalAudit #ConnectedRisk #EnablingPositiveChange

The IT Audit Life Cycle: Driving Confidence Through Continuous Assurance Effective IT audit is not a point-in-time exercise—it is a continuous, structured process designed to strengthen governance, manage risk, and enable informed decision-making. The IT Audit Life Cycle illustrates how value is created at every stage: 1- Audit Planning – Aligning objectives with business strategy and regulatory expectations 2- Risk Assessment & Scoping – Focusing efforts on what matters most 3- Fieldwork & Control Testing – Evaluating design, effectiveness, and impact 4- Issue Validation & Communication – Delivering clear, risk-focused insights 5- Follow-Up – Ensuring remediation, accountability, and closure When these phases operate as a cohesive cycle, IT audit becomes a strategic partner—not just a control function. 🔹 Strong audits build trust 🔹 Clear insights enable better decisions 🔹 Continuous follow-up drives sustainable improvement This life cycle reinforces a critical truth: audit excellence is achieved through consistency, collaboration, and continuous evolution. #ITAudit #InternalAudit #TechnologyAudit #TechnologyRisk #RiskManagement #EnterpriseRiskManagement #ERM #Governance #CorporateGovernance #GRC #CyberSecurity #CyberRisk #CyberResilience #InformationSecurity #DataProtection #Compliance #RegulatoryCompliance #InternalControls #ControlTesting #DigitalTransformation #OperationalExcellence #Leadership #ContinuousImprovement #Assurance

Not every audit finding creates impact. Some get ignored, some spark endless debate, and some simply get lost in the report. The difference lies in how the finding is structured. An effective audit finding should do more than highlight a flaw — it should guide management toward meaningful action. Here’s the anatomy of a finding that truly works: 1. Clear Issue – State the problem plainly, without jargon. Anyone reading it should immediately understand what’s wrong. 2. Evidence-Based – Back it up with solid data, samples, or documentation. A finding without evidence is just an opinion. 3. Risk Impact Explained – Go beyond the symptom. Explain the risk: what could go wrong, and how it affects operations, finances, or reputation. 4. Actionable Recommendation – The most critical part. Propose solutions that are practical, realistic, and add value. When these four elements come together, a finding is no longer just an observation. It becomes a driver of transformation — helping the organization strengthen controls, reduce risk, and improve performance. Because in the end, the true measure of audit is not how many findings we report, but how much positive change those findings create. #Audit #InternalAudit #Governance #RiskManagement #Compliance #Leadership #BusinessExcellence

Dear IT Auditors, Testing change management for production systems Production incidents rarely start with a system failure. They start with an uncontrolled change. Your audit should reveal to leaders where discipline breaks down and risk enters the environment. You focus on execution, not policy language. You test how changes move from request to deployment. You look for proof. You look for accountability. 📌 Start with the change inventory You obtain a complete list of production changes for the audit period. You include emergency, standard, and normal changes. You confirm the list matches deployment logs and system activity. You flag gaps early. 📌 Validate approvals You test if approvals occurred before implementation. You confirm approvers had the right authority. You review timestamps. You identify rubber-stamp behavior. You highlight changes approved after deployment. 📌 Test segregation of duties You verify that developers do not approve their own changes. You confirm production access aligns with role expectations. You focus on high-risk systems like financial platforms and customer data stores. You show where one person controls the entire process. 📌 Review testing evidence You check if changes passed testing before production release. You review test results and environments used. You confirm testing reflects real production conditions. You flag missing or reused test artifacts. 📌 Analyze emergency changes You isolate emergency changes. You confirm justification and approval timing. You check if teams completed the post-implementation review. You identify emergency processes used as shortcuts. 📌 Inspect deployment methods You review how changes enter production. You compare manual releases with automated pipelines. You verify logging and traceability. You flag deployments with no audit trail. 📌 Validate backout and recovery plans You check if rollback steps exist. You confirm that teams tested them. You identify changes deployed without recovery options. You show leaders where outages become likely. 📌 Close with risk-focused reporting You group findings by impact. You link control gaps to downtime, data exposure, or compliance failure. You give leadership clear actions and ownership. #ITAudit #ChangeManagement #InternalAudit #CybersecurityAudit #DevOpsRisk #GRC #CloudAudit #RiskManagement #ITGovernance #AuditLeadership #ProductionSystems #CyberVerge

Prepare a value-adding audit plan ____________  To prepare a comprehensive and value-adding audit plan as a future-ready internal auditor, you must go beyond ticking boxes. The process visualised is powerful—but its real strength lies in how it is executed. Begin with the right mindset: Risk is the language of relevance Think like this: a hyena doesn’t waste time chasing a lion. It stalks weakness. A future-ready auditor doesn’t waste time on routine. You stalk risk. You audit what could collapse the business—not what’s comfortable to audit. Step 1: Gather powerful inputs (THE CONTEXT) From the funnel’s base, you notice four key inputs: a) Risk assessment information from management – This is often biased. Use it, but don't trust it blindly. Triangulate with external trends, whistleblower reports, fraud cases, and regulatory pressure points. Ask: What are the elephants in the boardroom? b) Evaluate inherent risk – Focus on where failure is most likely, before controls. If your organization is launching new digital products, inherent risk in cybersecurity and data privacy is high—make that a priority. c) Knowledge base – Include industry risk trends, recent fraud cases, ESG concerns, and cybersecurity alerts. For example, AI risks, third-party risk, and ESG misreporting are rising. d) External and state audit reports – Extract recurring themes. If external auditors have flagged procurement irregularities for 3 years, it's time to go deeper. Step 2: Validate your universes (THE SCOPE) Now refine your battlefield: a) Process universe – Map all key business processes enterprise-wide. This includes digitized processes and outsourced operations. Ask: Which processes are core to value creation? Which are vulnerable to disruption? b) Risk universe – Use a structured framework like COSO or ISO 31000. Build a heat map not just of likelihood/impact but also velocity (how fast a risk can strike) and persistence (how long the damage lingers). c) Location universe – Don’t assume risk is evenly distributed. Some branches or regions may be compliance disasters. Prioritize. Step 3: Prioritize and draft the plan (THE STRATEGY) This is where value is won or lost. a) Don’t spread audits thin. Focus 80% of effort on 20% of high-risk, high-impact areas. b) Introduce thematic audits. For example: Cyber Resilience Audit, ESG Assurance Review, AI Ethics & Governance Audit. c) Link audits to strategic risks. Review the strategic plan. If growth depends on a new digital platform, audit platform governance, scalability, uptime, and security. d) Use data analytics and automation in scoping. Let your audit plan show you're using dashboards, not dusty checklists. Step 4: Discuss with Executive Staff (THE ALIGNMENT) Present your draft audit plan like a business advisor—not a fault-finder. a) Align each audit with a strategic goal. E.g., “This audit helps secure our expansion into the Northern Region by ensuring fraud-proof revenue systems.” To be continued..